4.14 Adding System Requirements for a Policy

The System Requirements panel lets you define specific requirements that a device must meet for the specified version of the policy to be assigned to it. You can choose to edit the requirement.

You define requirements through the use of filters. A filter is a condition that must be met by a device in order for the policy to be applied. For example, you can add a filter to specify that the device must have exactly 512 MB of RAM in order for the policy to be applied, and you can add another filter to specify that the hard drive be at least 20 GB in size.

To create system requirements for a policy:

  1. In ZENworks Control Center, click the Policies tab.

  2. Click the underlined link for the desired policy to display the policy’s Summary page.

  3. Click the Requirements tab.

  4. Click Add Filter, select a filter condition from the drop-down list, then fill in the fields.

    As you construct filters, you need to know the conditions you can use and how to organize the filters to achieve the desired results. For more information, see Section 4.14.1, Filter Conditions and Section 4.14.2, Filter Logic.

  5. (Conditional) Add additional filters and filter sets.

  6. Click Apply to save the settings.

4.14.1 Filter Conditions

You can choose from any of the following conditions when creating a filter:

Architecture: Determines the architecture of Windows running on the device. The condition you use to set the requirement includes a property, an operator, and a property value. The possible operators are equals (=) and does not equal (<>). For example, if you set the condition to architecture = 32, the device’s Windows operating system must be 32-bit to meet the requirement.

Bundle Installed: Determines if a specific policy is installed. After specifying the bundle, the two conditions you can use to set the requirement are Yes and No. If you select Yes, the specified bundle must already be installed to meet the requirement. If you select No, the bundle must not be installed.

Configuration Location: Determines if the policy is applicable to a specific location. The condition you use to set the requirement includes an operator and a value. The possible operators are equals (=) and does not equal (<>). The values are the existing locations in the Management Zone. For example, if you set the condition to =location_name, the selected location must match the device’s location to meet the requirement.

NOTE:This system requirement is applicable for Linux Configuration Policies and Windows Configuration Policies only.

Configuration Network Environment: Determines if the policy is applicable to a specific network environment. The condition you use to set the requirement includes an operator and a value. The possible operators are equals (=) and does not equal (<>). The values are the existing network environments in the Management Zone. For example, if you set the condition to =network_environment_name, the selected network environment must match the device’s current network environment to meet the requirement.

NOTE:This system requirement is applicable for Linux Configuration Policies and Windows Configuration Policies only.

Connected: Determines if the device is connected to a network. The two conditions you can use to set the requirement are Yes and No. If you select Yes, the device must be connected to the network to meet the requirement. If you select No, it must not be connected.

Connection Speed: Determines the speed of the device’s connection to the network. The condition you use to set the requirement includes an operator and a value. The possible operators are equals (=), does not equal (<>), is greater than (>), is greater than or equal to (>=), is less than (<), and is less than or equal to (<=). The possible values are bits per second (bps), kilobits per second (Kbps), megabits per second (Mbps), and gigabits per second (Gbps). For example, if you set the condition to >= 100 Mbps, the connection speed must be greater than or equal to 100 megabits per second to meet the requirement.

Disk Space Free: Determines the amount of free disk space on the device. The condition you use to set the requirement includes a disk designation, an operator, and a value. The disk designation must be a local drive map (for example, c: or d:). The possible operators are equals (=), does not equal (<>), is greater than (>), is greater than or equal to (>=), is less than (<), and is less than or equal to (<=). The possible values are bytes (Bytes), kilobytes (KB), megabytes (MB), and gigabytes (GB). For example, if you set the condition to c: >= 80 MB, the free disk space must be greater than or equal to 80 megabytes to meet the requirement.

Disk Space Total: Determines the amount of total disk space on the device. The condition you use to set the requirement includes a disk designation, an operator, and a value. The disk designation must be a local drive map (for example, c: or d:). The possible operators are equals (=), does not equal (<>), is greater than (>), is greater than or equal to (>=), is less than (<), and is less than or equal to (<=). The possible values are bytes (Bytes), kilobytes (KB), megabytes (MB), and gigabytes (GB). For example, if you set the condition to c: >= 40 GB, the total disk space must be greater than or equal to 40 gigabytes to meet the requirement.

Disk Space Used: Determines the amount of used disk space on the device. The condition you use to set the requirement includes a disk designation, an operator, and a value. The disk designation must be a local drive map (for example, c: or d:). The possible operators are equals (=), does not equal (<>), is greater than (>), is greater than or equal to (>=), is less than (<), and is less than or equal to (<=). The possible values are bytes (Bytes), kilobytes (KB), megabytes (MB), and gigabytes (GB). For example, if you set the condition to c: <= 10 GB, the used disk space must be less than or equal to 10 gigabytes to meet the requirement.

Environment Variable Exists: Determines if a specific environment variable exists on the device. After specifying the environment variable, the two conditions you can use to set the requirement are Yes and No. If you select Yes, the environment variable must exist on the device to meet the requirement. If you select No, it must not exist.

Environment Variable Value: Determines if an environment variable value exists on the device. The condition you use to set the requirement includes the environment variable, an operator, and a variable value. The environment variable can be any operating system supported environment variable. The possible operators are equal to, not equal to, contains, and does not contain. The possible variable values are determined by the environment variable. For example, if you set the condition to Path contains c:\windows\system32, the Path environment variable must contain the c:\windows\system32 path to meet the requirement.

File Date: Determines the date of a file. The condition you use to set the requirement includes the filename, an operator, and a date. The filename can be any filename supported by the operating system. The possible operators are on, after, on or after, before, and on or before. The possible dates are any valid dates. For example, if you set the condition to app1.msi on or after 6/15/07, the app1.msi file must be dated 6/15/2007 or later to meet the requirement.

File Exists: Determines if a file exists. After specifying the filename, the two conditions you can use to set the requirement are Yes and No. If you select Yes, the specified file must exist to meet the requirement. If you select No, the file must not exist.

File Size: Determines the size of a file. The condition you use to set the requirement includes the filename, an operator, and a size. The filename can be any file name supported by the operating system. The possible operators are equals (=), does not equal (<>), is greater than (>), is greater than or equal to (>=), is less than (<), and is less than or equal to (<=). The possible sizes are designated in bytes (Bytes), kilobytes (KB), megabytes (MB), and gigabytes (GB). For example, if you set the condition to doc1.pdf <= 3 MB, the doc1.pdf file must be less than or equal to 3 megabytes to meet the requirement.

File Version: Determines the version of a file. The condition you use to set the requirement includes the filename, an operator, and a version. The filename can be any file name supported by the operating system. The possible operators are equals (=), does not equal (<>), is greater than (>), is greater than or equal to (>=), is less than (<), and is less than or equal to (<=).

Be aware that file version numbers contain four components: Major, Minor, Revision, and Build. For example, the file version for calc.exe might be 5.1.2600.0. Each component is treated independently. For this reason, the system requirements that you set might not provide your expected results. If you do not specify all four components, wildcards are assumed.

For example, if you set the condition to calc.exe <= 5, you are specifying only the first component of the version number (Major). As a result, versions 5.0.5, 5.1, and 5.1.1.1 also meet the condition.

However, because each component is independent, if you set the condition to calc.exe <= 5.1, the calc.exe file must be less than or equal to version 5.1 to meet the requirement.

IP Segment: Determines the device’s IP address. After specifying the IP segment name, the two conditions you can use to set the requirement are Yes and No. If you select Yes, the device’s IP address must match the IP segment. If you select No, the IP address must not match the IP segment.

Linux Service Pack: Determines whether the Linux Operating System on the managed device has been upgraded to a particular Service Pack. For example, if you add a system requirement, Linux Service Pack >= 2, if using a SLES 10 box, the requirement is satisfied only when the Operating System has been upgraded to SLES 10 SP 2. The possible operators are equals (=), does not equal (<>), is greater than (>), is greater than or equal to (>=), is less than (<), and is less than or equal to (<=).

Linux Kernel Version: Determines the version of the core Linux kernel installed on the managed device. For example, if you add a system requirement, Linux Kernel Version >= 2.6, then the requirement evaluates to true only if kernel version is actually greater than or equal to 2.6, say if it's 2.6.16 and so on. The possible operators are equals (=), does not equal (<>), is greater than (>), is greater than or equal to (>=), is less than (<), and is less than or equal to (<=).

Linux Distribution: Determines the flavour of the Linux Operating System installed and differentiates between architecture and version of the desktop or server installed. For example, if you add a system requirement, Linux Distribution = SUSE Linux Enterprise Desktop 11 - i586, then the requirement evaluates to true only on SLED 11 32 bit managed devices. The possible operators are equals (=) and does not equal (<>).

Logged on to Primary Workstation: Determines whether the user is logged on to his or her primary workstation. The two conditions you can use to set the requirement are Yes and No. If you select Yes, the user must be logged on to his or her primary workstation to meet the requirement. If you select No, and no user is logged on to the workstation, the requirement is not met. However, if a user other than the primary user is logged on to the workstation, the requirement is met.

Memory: Determines the amount of memory on the device. The condition you use to set the requirement includes an operator and a memory amount. The possible operators are equals (=), does not equal (<>), is greater than (>), is greater than or equal to (>=), is less than (<), and is less than or equal to (<=). The memory amounts are designated in megabytes (MB) and gigabytes (GB). For example, if you set the condition to >= 2 GB, the device must have at least 2 gigabytes of memory to meet the requirement.

Novell Client Installed: Determines if the device is using the Novell Client for its network connection. The two conditions you can use to set the requirement are Yes and No. If you select Yes, the device must be using the Novell Client to meet the requirement. If you select No, it must not be using the Novell Client.

Operating System - Windows: Determines the service pack level, server type, and version of Windows running on the device. The condition you use to set the requirement includes a property, an operator, and a property value. The possible properties are service pack, server type, and version. The possible operators are equals (=), does not equal (<>), is greater than (>), is greater than or equal to (>=), is less than (<), and is less than or equal to (<=). The property values vary depending on the property. For example, if you set the condition to version = Windows XP Versions, the device’s Windows version must be XP to meet the requirement.

NOTE:Be aware that operating system version numbers contain four components: Major, Minor, Revision, and Build. For example, the Windows 2000 SP4 release’s number might be 5.0.2159.262144. Each component is treated independently. For this reason, the system requirements that you set might not provide your expected results.

For example, if you specify Operating System - Windows in the first field, Version in the second field, > in the third field, and 5.0 -Windows 2000 Versions in the last field, you are specifying only the first two components of the version number: Major (Windows) and Minor (5.0). As a result, for the requirement evaluated to true, the OS will have to be at least 5.1 (Windows XP). Windows 2003 is version 5.2, so specifying > 5.2 will also evaluate to true.

However, because each component is independent, if you specify the version > 5.0, Windows 2000 SP4 evaluates to false because the actual version number might be 5.0.2159.262144. You can type 5.0.0 to make the requirement evaluate as true because the actual revision component is greater than 0.

When you select the OS version from the drop-down, the Major and Minor components are populated. The Revision and Build components must be typed in manually.

Primary User Is Logged In: Determines if the device’s primary user is logged in. The two conditions you can use to set the requirement are Yes and No. If you select Yes, the primary user must be logged in to meet the requirement. If you select No, the user must not be logged in.

Processor Family: Determines the device’s processor type. The condition you use to set the requirement includes an operator and a processor family. The possible operators are equals (=) and does not equal (<>). The possible processor families are Pentium, Pentium Pro, Pentium II, Pentium III, Pentium 4, Pentium M, WinChip, Duron, BrandID, Celeron, and Celeron M. For example, if you set the condition to <> Celeron, the device’s processor can be any processor family other than Celeron to meet the requirement.

Processor Speed: Determines the device’s processor speed. The condition you use to set the requirement includes an operator and a processor speed. The possible operators are equals (=), does not equal (<>), is greater than (>), is greater than or equal to (>=), is less than (<), and is less than or equal to (<=). The possible processor speeds are hertz (Hz), kilohertz (KHz), megahertz (MHz), and gigahertz (GHz). For example, if you set the condition to >= 2 GHz, the device’s speed must be at least 2 gigahertz meet the requirement.

Registry Key Exists: Determines if a registry key exists. After specifying the key name, the two conditions you can use to set the requirement are Yes and No. If you select Yes, the specified key must exist to meet the requirement. If you select No, the key must not exist.

Registry Key Value: Determines if a registry key value exists on the device. The condition you use to set the requirement includes the key name, the value name, an operator, a value type, and a value data. The key and value names must identify the key value you want to check. The possible operators are equals (=), does not equal (<>), is greater than (>), is greater than or equal to (>=), is less than (<), and is less than or equal to (<=). The possible value types are INT_TYPE and STR_TYPE. The possible value data is determined by the key, value name, and value type.

If the value type is String Type, ZCM compares only those values in the registry if the actual type in the registry is REG_STRING or REG_EXPANDED_STRING.

If the value type is Integer, ZCM compares only those values in the registry if the actual type in the registry is REG_DWORD.

Leave the key value field blank to use the default value. The default value of a registry key has no name and is displayed in regedit as (Default).

For example, if you specify HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Messenger\Login as the key name, Port as the value name, select = as the operator, select Integer Type as the value type, and specify 443 as the value data, the port specified as the value data must match with the port specified in the registry key to meet the requirement.

If the value type is IP Address, ZCM compares only those values in the registry if the actual type in the registry is REG_STRING.

NOTE:The filter condition Registry Key Value is available only for Windows policies. The value type IP Address for Registry Key Value is applicable only in VDI environments (VMwareVDI and CitrixVDI).

If you have set the condition to Registry Key Value and selected IP Address as the value type, then the two conditions that you can use to set the requirements are Is in Subnet and Is not in Subnet. If you select Is in Subnet, then the thin-client IP address of the device must be within a specific subnet. If you select Is not in Subnet, then the thin-client IP address of the device must be outside the subnet.

Specify the following in the text fields:

  • Path of the registry key that should be compared

  • Name of the registry value, for example: ViewClient_IP_Address

  • IP Address of the network and a subnet mask to compare in order to determine if the device is within the segment (Example: 10.0.0.0/24)

For the VMware-VDI Environment

If you are connected to a VMware desktop from any thin client, the following registry key will be created automatically in the VMware desktop, indicating the thin-client IP address through which it is connected. You can use the same Registry key as a filter to specify the filter requirement.

Example 4-1 Example:

Registry key Path: HKEY_CURRENT_USER\Volatile Environment

Registry key Name: ViewClient_IP_Address

Value: This specifies the thin-client IP address through which you are connected to the VMware desktop. This value should be in the CIDR format for both Is in Subnet and Is not in Subnet (Example: 10.0.0.0/24).

For the Citrix- VDI Environment

If you are connected to a Citrix desktop from any thin client, the following registry key will be created automatically in the Citrix desktop, indicating the thin-client IP address through which it is connected. You can use the same registry key as a filter to specify the filter requirement.

Example 4-2 Example:

Registry key path: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Ica\Session

Registry key name: ClientAddress

Value: This specifies the thin-client IP address through which you are connected to the Citrix desktop (Example: 10.0.0.0/24).

Registry Key and Value Exists: Determines if a registry key and value exists. After specifying the key name and value, the two conditions you can use to set the requirement are Yes and No. If you select Yes, the specified key and value must exist to meet the requirement. If you select No, the key and value must not exist.

Security Location: Determines if the policy is applicable for a specific security location. The condition you use to set the requirement includes an operator and a value. The possible operators are equals (=) and does not equal (<>). The values are the existing security locations in the Management Zone. For example, if you set the condition to =security_location_name, the selected security location must match the device’s security location to meet the requirement.

NOTE:This system requirement is applicable for Linux Configuration Policies and Windows Configuration Policies only. The system requirement is applied to a managed device only if the Location Assignment Policy has been applied to the device. If the policy has Security Location system requirement configured, the policy enforcement fails on Windows Server 2003 and Windows Server 2008 devices because the ZENworks Endpoint Security Management policies are not supported on these devices.

Service Exists: Determines if a service exists. After specifying the service name, the two conditions you can use to set the requirement are Yes and No. If you select Yes, the service must exist to meet the requirement. If you select No, the service must not exist.

Specified Devices: Determines if the device is one of the specified devices. After specifying the devices, the two conditions you can use to set the requirement are Yes and No. If you select Yes, the device must be included in the specified devices list to meet the requirement (an inclusion list). If you select No, the device must not be included in the list (an exclusion list).

Version of RPM: Determines the version of the RPM name provided if installed. For example, if you add a system requirement, Version of RPM cups > 1.0, then the requirement evaluates to true, if cups rpm is installed and the version of the installed cups rpm is greater than 1.0. If cups rpm is not installed, the requirement is evaluated to be false. The possible operators are equals (=), does not equal (<>), is greater than (>), is greater than or equal to (>=), is less than (<), and is less than or equal to (<=).

4.14.2 Filter Logic

You can use one or more filters to determine whether the policy should be applied to a device. A device must match the entire filter list (as determined by the logical operators that are explained below) for the policy to be applied to the device.

There is no technical limit to the number of filters you can use, but there are practical limits, such as:

  • Designing a filter structure that is easy to understand

  • Organizing the filters so that you do not create conflicting filters

Filters, Filter Sets, and Logical Operators

You can add filters individually or in sets. Logical operators, either AND or OR, are used to combine each filter and filter set. By default, filters are combined using OR (as determined by the Combine Filters Using field) and filter sets are combined using AND. You can change the default and use AND to combined filters, in which case filter sets are automatically combined using OR. In other words, the logical operator that is to combine individual filters (within in a set) must be the opposite of the operator that is used between filter sets.

You can easily view how these logical operators work. Click both the Add Filter and Add Filter Set options a few times each to create a few filter sets, then switch between AND and OR in the Combine Filters Using field and observe how the operators change.

As you construct filters and filter sets, you can think in terms of algebraic notation parentheticals, where filters are contained within parentheses, and sets are separated into a series of parenthetical groups. Logical operators (AND and OR) separate the filters within the parentheses, and the operators are used to separate the parentheticals.

For example, “(u AND v AND w) OR (x AND y AND z)” means “match either uvw or xyz.” In the filter list, this looks like:

u AND
v AND
w
OR
x AND
y AND
z

Nested Filters and Filter Sets

Filters and filter sets cannot be nested. You can only enter them in series, and the first filter or filter set to match the device is used. Therefore, the order in which they are listed does not matter. You are simply looking for a match to cause the policy to be applied to the device.